Securing ADF Applications Using the Oracle E-Business Suite SDK JAAS Implementation
By Juan Camilo Ruiz on May 02, 2012
In the previous post in the series on ADF integration with Oracle E-Business Suite, I covered how to set up and use the Oracle E-Business Suite SDK for Java to create a data source for accessing Oracle E-Business Suite data from our ADF applications in read-only form.
In this post we are going to explore another feature of the Oracle E-Business Suite SDK for Java: its implementation of JAAS (Java Authentication and Authorization Services). With this implementation we can use E-Business Suite users and roles to restrict access to specific parts of external Java EE applications. You can find a very nice explanation of this feature in the following post from the Oracle E-Business Suite Technology Team blog.
You will need to set up your runtime environment (WebLogic Server) and afterwards configure your ADF application to point to the right resources. Both steps are well explained in My Oracle Support Knowledge Document 974949.1. In this article I will provide a high-level overview of the steps in that document, highlighting areas where it’s easy to make mistakes, which will hopefully help you get everything working successfully.
First you need to set up the AppsDataSource on your WebLogic Server in order to establish the communication channel with the Oracle E-Business Suite instance. Follow the instructions in the document's sections Configuring AppsDataSource and Configuring AppsDataSource on Oracle WebLogic Server (WLS).
The second step is to create and set up a default realm on WebLogic that enables user and role provisioning directly from E-Business Suite. In E-Business Suite, users and roles are stored in specific database tables, so the new realm will make use of the AppsDataSource defined in the first step. All of the steps are described in the note, in the section JAAS Configuration for Oracle WebLogic Server 10.3.5.0. When setting up the realm you need to pay attention to the following steps; if not executed correctly they could cause problems later on:
- External Authenticator: By default, WebLogic Server doesn’t provide the external authenticator that is used to authenticate against E-Business Suite. During the AppsDataSource setup you are going to use the fndext.jar that comes with the patch from My Oracle Support, and you recompile it using the following command:
java -classpath /tmp/mysrc:$CLASSPATH -DMJF=/tmp/mysrc/fndext.jar -Dfiles=/tmp/mysrc weblogic.management.commo.WebLogicMBeanMaker
If the command is executed correctly and doesn’t throw any errors, on creating the new realm you will be able to select ExternalAuthenticator from the list of authentication providers.
- DataSource: Another area where you need to be careful is specifying which data source the realm uses. Make sure the JNDI name that you have given your AppsDataSource matches the one used by the realm.
After completing all the steps you should have two realms on your WLS, with the newest one set as the default.
An interesting aspect of the integration is that you can leverage ADF Security to use the E-Business Suite JAAS implementation without manually editing configuration files as is the case with Java EE applications.
Be aware that all the E-Business Suite roles to be used in the ADF application need to be defined as Enterprise Roles. Also, you do not need to create users for the application, given that all of them come from Oracle E-Business Suite. You can still define application-specific roles, but those roles need to map to one of the enterprise roles.
When you are ready to deploy, make sure you uncheck all the options related to users and groups. You don’t need those.
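The role setup described above, sketched as the jazn-data.xml file that the ADF Security editors maintain for the application. This is an added example, not taken from the original post or from Oracle's note; the enterprise role, application role, application and page definition names are placeholders.

```xml
<jazn-data>
  <!-- Constructed example: all names are placeholders. Enterprise roles only, no users are defined. -->
  <jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <roles>
        <role><name>EBS_ROLE_PLACEHOLDER</name></role>
      </roles>
    </realm>
  </jazn-realm>
  <policy-store>
    <applications>
      <application>
        <name>DemoApp</name>
        <app-roles>
          <app-role>
            <name>order_manager</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <name>EBS_ROLE_PLACEHOLDER</name>
                <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>order_manager</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>view.pageDefs.ordersPageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

The page permission is granted to the application role, and the application role's only member is the enterprise role, so access is decided entirely by the roles the realm returns for the authenticated E-Business Suite user.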
Now your application should be working and authenticating against E-Business Suite.
Here is a video that shows an ADF Application using the E-Business Suite SDK for Java JAAS implementation.